diff --git a/sources/cluster-auth/0.5.9/values.yaml b/sources/cluster-auth/0.5.9/values.yaml index db9164c8..36d70e7a 100644 --- a/sources/cluster-auth/0.5.9/values.yaml +++ b/sources/cluster-auth/0.5.9/values.yaml @@ -3,7 +3,7 @@ replicaCount: 1 image: repository: ghcr.io/silogen/cluster-auth pullPolicy: Always - tag: "0.6.0-rc8" + tag: "0.6.0-rc10" imagePullSecrets: [] nameOverride: "" diff --git a/sources/envoy-gateway-config/templates/envoy-extension-policy-model-header.yaml b/sources/envoy-gateway-config/templates/envoy-extension-policy-model-header.yaml index eb4400b9..02844207 100644 --- a/sources/envoy-gateway-config/templates/envoy-extension-policy-model-header.yaml +++ b/sources/envoy-gateway-config/templates/envoy-extension-policy-model-header.yaml @@ -1,15 +1,11 @@ {{- if .Values.aiGateway.enabled }} -# Lua filter that sets x-ai-eg-model from the request body before ext_authz runs, on the -# ai-gateway (where all AI traffic terminates and is authorized). +# Lua filter that extracts routing headers from the request body before ext_authz runs, +# on the ai-gateway (where all AI traffic terminates and is authorized). # -# The AI Gateway's ext_proc reads the body and sets x-ai-eg-model, but it is inserted via -# xdsTranslator post-hooks which run after filterOrder is applied. So ext_authz (cluster-auth) -# would run without x-ai-eg-model and fall through to a catch-all route with no auth -# annotations, allowing the request regardless of which model is targeted (EAI-6805). -# -# This Lua filter runs early (ordered before ext_authz via the ai-gateway EnvoyProxy -# filterOrder), reads the model field from the JSON body, and sets x-ai-eg-model so -# cluster-auth can match the correct per-model route and enforce cluster-auth/allowed-group. +# Both x-ai-eg-backend and x-ai-eg-model are set from the request body so that the +# 3-condition UUID rule (Host + x-ai-eg-backend + x-ai-eg-model) wins by specificity +# over any catch-all rules in other HTTPRoutes, regardless of HTTPRoute creation order. +# The model-name fallback rule has been removed — clients must supply a backend UUID. apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyExtensionPolicy metadata: @@ -28,7 +24,12 @@ spec: if body == nil then return end - local model = tostring(body):match('"model"%s*:%s*"([^"]+)"') + local body_str = tostring(body) + local backend = body_str:match('"backend"%s*:%s*"([^"]+)"') + local model = body_str:match('"model"%s*:%s*"([^"]+)"') + if backend ~= nil then + request_handle:headers():replace("x-ai-eg-backend", backend) + end if model ~= nil then request_handle:headers():replace("x-ai-eg-model", model) end